Google Search over SSL has an oops

Google now provides SSL encryption capabilities for their search function. But, there is a problem that you need to be aware of.


According to Google's Web Search Help blog, the search giant has decided it's important to keep search inquiries from prying eyes:

"With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience."

TechRepublic's Chad Perrin recently penned an article about the benefits of SSL-encrypted Web searches. He also advises caution as some searches are not protected by SSL encryption and under certain circumstances SSL is vulnerable.

When I learn that an application claims to use SSL, I like to check and make sure for myself. Sometimes there are surprises, and when it comes to security, that's not a good thing. I fired up Wireshark and, as stated above, the search traffic was gibberish as shown below:

[Screenshot: Wireshark capture of the SSL-encrypted search traffic]

That's great. But I did see something in the packet traffic that I didn't understand, so I went to Laura Chappell's Web site. I have taken several of her classes and consider her one of the foremost experts when it comes to analyzing packets. I did not find what I was looking for, but I did come across quite a surprise.

"Google takes a snapshot of each page examined as it crawls the web and caches these as a back-up in case the original page is unavailable. If you click on the "Cached" link, you will see the web page as it looked when we indexed it. The cached content is the content Google uses to judge whether this page is a relevant match for your query."

To their credit, if the cached link is clicked on, you will know it. Google prominently displays a window explaining the loaded page is a snapshot of the actual Web page and may not be current:

[Screenshot: Google's notice that the loaded page is a cached snapshot, with the page URL visible]

Ms. Chappell found out that the cached link traffic is not encrypted. I went back to testing, and sure enough, if the cached link is clicked on, it reverts to HTTP. Notice the URL in the above slide.

Search query sent unencrypted

That's to be expected, but what's not expected is that the original search information is sent to the Google Web-cache server in the clear. Let's see if we can capture that. The first slide below is the response to my DNS query for webcache.googleusercontent.com. That's where the cache is located:

[Screenshot: Wireshark capture of the DNS response for webcache.googleusercontent.com]

The next slide is that of the traffic my computer is sending to webcache.googleusercontent.com. As you can see, the highlighted packet contains my original search query:

[Screenshot: Wireshark capture of traffic to webcache.googleusercontent.com, with the highlighted packet containing the original search query]
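The check the article performs by eye in Wireshark (an https search whose "Cached" link replays the search terms over plain http) can be automated over a list of request URLs pulled from a capture. The following is an added example written for this article, not code from TechRepublic or Google; the request URLs are constructed samples that borrow only the cache host name the article reports, and the parameter names treated as "search terms" are an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of request URLs, in the form a capture would list them.
# These are not captures from the article; the cache host name is the one
# the article names, the query strings are made up for illustration.
SAMPLE_REQUESTS = [
    "https://www.google.com/search?q=wireshark+ssl+capture",
    "https://www.google.com/search?q=packet+analysis&hl=en",
    "http://webcache.googleusercontent.com/search?q=cache:example.com/page+wireshark+ssl+capture&cd=1&hl=en",
    "http://example.com/index.html",
]

# Parameter names that commonly carry search terms (an assumption for this
# example; Google's own search form uses "q").
SEARCH_PARAMS = ("q", "query", "search")


def plaintext_query_leaks(urls, search_params=SEARCH_PARAMS):
    """Return (host, param, value) for every http:// request whose query string
    carries a search term. Requests over https are skipped: their URL travels
    inside the encrypted channel, so an on-path observer never sees the query."""
    leaks = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        for name in search_params:
            for value in qs.get(name, []):
                leaks.append((parts.hostname, name, value))
    return leaks


def downgrades_to_plaintext(search_url, link_url):
    """True when a link taken from an https search results page points at an
    http:// URL that still carries a search parameter, i.e. following it would
    replay the search terms in the clear (the "Cached" link behaviour above)."""
    if urlsplit(search_url).scheme.lower() != "https":
        return False
    return bool(plaintext_query_leaks([link_url]))


if __name__ == "__main__":
    for host, name, value in plaintext_query_leaks(SAMPLE_REQUESTS):
        print(f"plaintext search term sent to {host}: {name}={value!r}")
```

Run against the samples, only the request to webcache.googleusercontent.com is reported, and `downgrades_to_plaintext` flags that cached link as a downgrade from the https results page. To gather real input, export the request URIs of the HTTP (not TLS) conversations from the capture; the http requests are the only ones whose query strings are readable on the wire, which is exactly why the cached link matters.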

Final thoughts

According to Google's above statement, all search traffic is supposed to be encrypted between our computers and their servers. It's not in all cases, and I felt it important to make sure everyone is aware of that.